Skip to main content
Eptura Knowledge Center

Eptura System Security and Privacy

Our Commitment to Information Security and Privacy

At Eptura, we take information security very seriously. Our business depends on it. It is our legal and fiduciary duty to supply trustworthy services to our clients and in doing so, be responsible custodians of their data, preserving its:

  • Confidentiality: ensuring that information is accessible only to those who are authorized to have access
  • Integrity: safeguarding the accuracy and completeness of information and processing methods; and
  • Availability: ensuring that authorized users have access to information when needed.

To this end, Eptura continues to invest in the continuous improvement of its security practices and formal certifications and accreditation against recognized industry standards.

Our Information Security and Privacy Leadership

Eptura has a dedicated Information Security and Privacy Manager (ISPM also known as Data Protection Officer). Our ISPM oversees of the operations and continuous improvement of our information security and privacy program.

The ISPM reports into our Chief Information Security Officer (CISO). Our CISO reports directly to the CEO and chairs the Information Security Governance Group, comprised of executives across the business who are focused on the continuous improvement of our services and security posture.

Risk Management Approach

Eptura takes a risk management approach to information security. The Risk Management Plan is documented in our Information Security Policy.
All information security risks/vulnerabilities are risk assessed by impact and probability. The resulting risk assessment score drives the timeline for remediation. See the ISP for details.

Standards and Certifications



ISO 27001



SOC 2 certification provided by AWS and Azure

General Data Protection Regulation (GDPR)


Information Classification and Handling

The system is typically used to store and process the following information data types, all of which would typically be classified as 'Restricted':

  • Leased and owned properties, including floorplans.
  • Organizational structure, including cost-center hierarchy.
  • Personnel information, including name, title and contact details.
  • Allocation information, including allocation of space (desks) to cost centers and allocation of work points to staff members.
  • Utilization information about what properties are being used, and by whom.
  • Asset information, including the names and locations of corporate assets.
  • Request information, including requests made to the facilities team for services.
  • Financial information relating to properties, assets and requests.

All Information Assets will be classified and handled in terms of legal requirements, criticality and sensitivity to unauthorized disclosure and modification. The classification levels and controls apply to information, whether online or hardcopy and applies to IT assets storing the information. All Personally Identifiable Information (PII) provided by Eptura's clients are classified as 'Restricted'. This classification is Eptura's highest classification rating.

The following types of data that would normally be considered 'sensitive' or 'top secret' are NOT typically stored or processed by the system:

  • Data about your customers.
  • Financial data about your personnel.
  • Social security numbers or other government identifiers.
  • Credit card numbers or bank records.
  • HIPPA or health-related data.

Information Security Policy (ISP)

Eptura Information Security Policy (ISP) is used as the foundation and basis for Eptura's company-wide security strategy. The ISP has been approved by management and distributed to all Eptura employees and contractors. 

The policy covers:

  • Roles & Responsibilities
  • Segregation of Duties
  • Mobile Device Policy
  • Remote Working Policy
  • Risk Management Policy
  • Monitoring
  • Internal & External Audits, including:
  • Vulnerability Scanning
  • Penetration Testing
  • Certifications & Accreditations
  • Acquisition & Disposal of Systems & Services
  • Information Security in Project Management
  • Secure Software Development Policy, including:
  • Outsource Development
  • Secure System Engineering Principles
  • Change Control Procedures
  • System Configuration & Hardening
  • Use of Test Data
  • Human Resource Security, including:
  • Background checks
  • Drug testing
  • Pre-employment checks
  • Information security & awareness training
  • Termination or change of employment
  • Disciplinary process
  • Asset Management
  • Acceptable Use of Information Assets
  • Information Classification & Handling
  • Access Controls
  • External Access to Eptura Network and Systems
  • User Registration & De-Registration
  • Internal Operations and Service Deliver, including:
  • Standard Operating Procedures
  • Change Management
  • Capacity Management
  • Separation of Environments
  • Protection from Malware
  • Backup
  • Retention Policy
  • Logging and Monitoring
  • Clock Synchronization
  • Information Security Incident Management
  • Business Continuity & Disaster Recovery
  • Network Security, including encryption of data in transit & at-rest.
  • Physical & Environmental Security

Privacy Policy

A copy of the our Privacy Policy can be found at:

Security and Privacy Frequently Asked Questions

Operational Controls





Do you have an Information Security Policy (ISP)

Yes. See above.


How is the ISP communicated throughout the organization?

The ISP is available via the intranet and it is emailed to all employees each year. Additionally, all employees must complete annual security awareness training. This includes training on the ISP.


Do you require confidentiality agreements to be signed by all staff and contractors?

Yes. Confidentiality clauses are included in all employee and contractor agreements.


Do you have a risk management program in place?

Yes. We take a risk management approach to information security. The ISP details our risk management policy.


Is there an internal unit responsible for identifying and tracking compliance with regulatory issues relating to information security and privacy?

Yes. Responsibility lies with our Information Security & Privacy Manager.


How often is the Information Security Policy reviewed?

With every significant change and at least every 12 months.


Do you use securing coding practices?

Yes, Secure coding practices are incorporated into all life cycle stages of an application development process. OWASP and other industry best practices are followed.


Do you perform regular penetration testing?

Yes. We engage an industry recognized security consultant to perform an independent "ethical-hacking" style penetration test against the Eputra systems and infrastructure whenever there is a major change and at minimum once a year. Any vulnerabilities identified are remediated as per our risk management framework. A summary report on our latest penetration test results can be provided upon request.


Have there been any regulatory or legal findings regarding privacy or data security related to your organization over the last 3 years?



Are you ISO27001 Certified?

Yes, Eputra is certified to ISO27001. 


Are you GDPR compliant?

Yes, we comply with the requirements of the GDPR.


Do you have a Data Protection Officer (DPO)?

Yes. Our Information Security and Privacy Manager is our designated DPO.


Is your organization PCI certified?

No. PCI is not required as we don't store or process credit card information.


Do you have a Major Incident Management Process?

Yes, this procedure describes the overall process for responding to major incidents impacting Eputra information systems and Clients. It defines the roles and responsibilities of participants, the classification of incidents and escalations and reporting requirements.

Technical Controls





Is Client Data encrypted in transit and at-rest?



How are backups stored?

Electronically on encrypted AWS S3 object store. Physical media is not used.


Is Client Data co-mingled with other client's data?

No. Each customer has their own logically separated database.


Do you conduct vulnerability scans?

Yes. We leverage the Nessus tool to perform monthly scans of all IT infrastructure. Any vulnerabilities that are identified are remediated according to our risk management framework.


Do you perform application security scans?

Yes, we use a combination of static and dynamic code scanning tools. Any vulnerabilities that are identified are remediated according to our risk management framework.


Is your corporate network used to transfer or process Client Data?

No. Client Data is only stored and processed within the AWS hosting environment.
Firewalls separate our corporate network from our hosting networks.